Enable OCSP Stapling on Your Server

Instructions for Enabling OCSP Stapling on Your Server

Online Certificate Status Protocol (OCSP)

Online Certificate Status Protocol (OCSP) was created as an alternative to the Certificate Revocation List (CRL) protocol. Both protocols are used to check whether an SSL Certificate has been revoked.

The CRL protocol requires the browser to download potentially large amounts of SSL Certificate revocation information: certificate serial numbers and status of each certificate’s last publication date. The problem with the CRL protocol is that it can increase the time spent completing the SSL negotiation.

The OCSP protocol does not require the browser to spend time downloading and then searching a list for certificate information. With OCSP, the browser simply posts a query and receives a response from an OCSP responder (a CA’s server that specifically listens for and responds to OCSP requests) about the revocation status of a certificate.

OCSP Stapling

OCSP stapling can be used to enhance the OCSP protocol by letting the webhosting site be more proactive in improving the client (browsing) experience. OCSP stapling allows the certificate presenter (i.e. web server) to query the OCSP responder directly and then cache the response. This securely cached response is then delivered with the TLS/SSL handshake via the Certificate Status Request extension response, ensuring that the browser gets the same response performance for the certificate status as it does for the website content.

OCSP stapling addresses a privacy concern with OCSP because the CA no longer receives the revocation requests directly from the client (browser). OCSP stapling also addresses concerns about OCSP SSL negotiation delays by removing the need for a separate network connection to a CA’s responders.